A well-known cybersecurity problem is that attacks grow progressively more creative, challenging security professionals, who frequently see attacks on an unprecedented scale. Which examples have pushed the boundaries most?
1. The Dyre Banking Scam
Hackers like targeting the most lucrative sectors, so it’s no surprise banks frequently feature in cyberattacks. They’re either the businesses under threat or the subjects meant to entice consumers to take specific actions after receiving emails that seem to come from their banking institutions.
A banking-specific scam first detected in 2014 used Dyre malware, which compromised victims’ browsers and stole the credentials they used to log into financial institutions’ platforms and other secured interfaces. The scam started when someone received an email attachment supposedly containing an unpaid invoice. Additionally, the attachments contained malware designed to exploit unpatched vulnerabilities in recipients’ Adobe Reader software.
These aspects showed creative thinking on the cybercriminals’ part. First, they knew such a vague but relevant-sounding attachment name about an invoice would catch people’s interest. Since life can get so hectic, someone might occasionally forget to pay for things. Spelling mistakes in the file name were hallmark characteristics of this cyberattack, but criminals presumably hoped people wouldn’t notice or care.
The scammers also rightly assumed their targets would not update their Adobe software frequently enough, creating many potential entry points for enterprising hackers. Once someone fell for the trick and downloaded the attachment, the malware copied itself and created a seemingly innocent service named “Google Update Service” on the person’s computer. It then set registry keys and began logging keystroke data before sending it to hackers.
As of 2016, United States government authorities said all major antivirus software vendors’ products had detected this threat. However, detection requires people to use and update such tools regularly.
Bank employees carry out stringent know-your-customer procedures to prevent fraud and establish risk profiles. Those are undoubtedly necessary, but this scam shows how easily things can go wrong when customers fall for malware.
2. The WPP Deepfake Scam
As technologies have advanced, cybercriminals’ creativity in exploiting them has, too. Artificial intelligence (AI) output has become so believable that consumers have had to learn they can’t necessarily trust everything they see or hear because of elaborate deepfakes.
The state of things came to the forefront for Mark Read, the CEO of WPP, a British multinational advertising and public relations company. The executive recently detailed a deepfake scam that exploited numerous platforms and media types.
Read explained how hackers set up a new WhatsApp account and used a publicly available image of him as the profile picture. They used it to schedule a meeting on Microsoft Teams with another senior executive who thought they were engaging with Read.
During the meeting, the cybercriminals deployed a voice clone and YouTube footage of Read, all while simultaneously interacting in the Microsoft Teams chat window to pose as him and fool the other attendee with material that looked, sounded and read like the leader. The goal was to convince an agency head to set up a new business, after which the scammers would get financial and personal details from them.
This scam failed, and Read attributed that result to his company’s vigilance, including that of the targeted executive who did not respond as the hackers hoped. The CEO pointed out how everyone must be on guard against increasingly elaborate tricks, including those going beyond someone’s email inbox.
Some tech experts suggest the blockchain is ideal for securing people’s vocal characteristics and preventing malicious parties from tampering with authenticated clips. However, since the voices of well-known figures are on television, the radio, YouTube and even audiobooks, motivated cybercriminals have plenty of data to use.
3. Misleading AI Ads Targeting Small Businesses
No company or person is wholly safe from cyber scams, but the effects of successfully orchestrated attacks are more disastrous for some victims than others. Small businesses are excellent examples because such organizations often lack the resources to recover fully and quickly.
A 2023 study showed that 73% of small businesses experienced cyberattacks, data breaches or both during the previous year. A 2024 report found cyberattacks were the top concern for 60% of respondents, suggesting those polled understand the threat’s severity.
Unfortunately, scammers know small-business owners are excellent targets and may prey on victims’ desire to improve their workflows with new tech. Such was the case with a scam against small businesses that caught Google executives’ attention and resulted in company lawsuits against scammers.
The tactics centered on Google Bard — the large language model now known as Gemini. The tech company’s first lawsuit was against bad actors who created social media profiles and advertisements encouraging small-business owners to download Bard.
However, Google did not require people to download anything to use it; instead, it integrated the tool into many of its existing products. Those who fell for this scam expected that downloading something would let them use Bard. Instead, it gave them malware that compromised their social media profiles.
From April to November 2023, Google filed approximately 300 takedown notices associated with this scam. It sought an order to prevent criminals from setting up similar sites and to deactivate those currently on file with domain registrars.
This scam stood out for creativity because it capitalized on Google’s brand recognition and people’s interest in trying a new product to make business operations more convenient.
Truths Mixed With Lies
These creative cyber scams prove those orchestrating them will stop at nothing to achieve their aims. Even when the efforts don’t pay off — as in the WPP deepfake case — they become warnings that people must always be on guard for things not being as they seem. After all, most online scams have truthful elements mixed with falsities.
There was a product called Google Bard, but using it did not require downloading software. Mark Read is WPP’s CEO, but he never arranged or participated in that meeting about establishing a new business. These cases highlight the importance of thinking carefully before acting and verifying claims before making decisions that could have catastrophic consequences.
This article was originally published by Zac Amos on HackerNoon.